Security NewsWatch


A weekly roundup of news, trends and insights designed exclusively for security professionals. This publication is intended for security staff only.

View in Your Browser at http://nsi.org/Security_NewsWatch/NewsWatch/5.25.16.html

In this issue — May 25, 2016

  • Security Programs Don’t Do Enough to Mitigate Insider Risk
  • Navy to Train Up a Hacking Team
  • TSA Failing Badly at Cybersecurity
  • Government, Industry Studying Threat of Nuclear EMP Attack on Electrical Grid
  • 1 Year after OPM Breach, Fed Cybersecurity Continues to Struggle
  • Ransomware Is Now Top Security Threat
  • Cyber’s Hot, But Low-Tech Spies Still a Threat
  • New Law Puts Onus on Contractors to Tighten IT Security
  • Hacktivism and the Insider Threat
  • Bill Would Create Cybersecurity Supergroup to Train State, Private Partners

Security Programs Don’t Do Enough to Mitigate Insider Risk (CIO, 5/23/16)

Employee-related security risks top the list of concerns for security professionals, but organizations aren’t doing enough to prevent negligent employee behavior, according to a new study.  The Ponemon Institute surveyed 601 individuals at companies with a data protection and privacy training program on the issue of negligent and malicious employee behaviors.

Sixty-six percent of respondents said employees are the weakest link in their efforts to create a strong security posture, and 55% said their organization had suffered a security incident or data breach caused by a malicious or negligent employee. More

Navy to Train Up a Hacking Team (Info Security, 5/20/16)

The U.S. Navy is planning to create its own team of ethical sailor-hackers.  In a job posting, the Navy outlined its requirements for the Ethical Hacker program, an intensive five-day course that will take place next month in San Diego.

It’s looking for 34 candidates to fill the seats, to undertake training administered by the International Council of Electronic Commerce Consultants (EC-Council) or an authorized partner.  The course consists of a combination of lectures, team activities, and case studies, followed by certification testing. More

TSA Failing Badly at Cybersecurity (Engadget, 5/20/16)

Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service.  The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff’s handling of IT security protocols.

Issues include servers running software with known vulnerabilities, no incident reporting process in place, and no physical security protecting critical IT systems from unauthorized access.  These are the very basics of IT security, and the TSA has been failing at them quite spectacularly for some time. More

Government, Industry Studying Threat of Nuclear EMP Attack on Electrical Grid (DC Free Beacon, 5/19/16)

American power companies are studying ways to protect electric grids against a high-altitude nuclear blast and other directed energy attacks that could severely disrupt electricity transmission, an industry representative told a Senate hearing last week.

Scott Aaronson, managing director for cyber and infrastructure security at the Edison Electric Institute, said a consortium of U.S. electric companies is working with the Energy Department to study how to protect power grids from a nuclear blast-produced electromagnetic pulse attack or solar flares that could damage transformers and other electric components and shut down power for millions of Americans. More

1 Year after OPM Breach, Fed Cybersecurity Continues to Struggle (Government Technology, 5/19/16)

Despite repeated high-profile breaches, the federal government continues to struggle with its job of keeping personal data and public infrastructure safe.  Survey results released recently revealed a federal landscape struggling to keep up with cyberthreats, or even to understand its own assets and infrastructure.

According to The State of Cybersecurity from the Federal Cyber Executive Perspective report, released by KPMG, 59% of federal workers say their agencies struggle to understand how cyber attackers could potentially breach their systems, while 40% were unaware where their key assets were located.  About 65% said the federal government as a whole cannot detect ongoing attacks. More

Ransomware Is Now Top Security Threat (IT Business Edge, 5/19/16)

It seems like ransomware is mentioned in every other security article you read.  There’s a good reason for this: Ransomware is the biggest threat to enterprise security today, according to Kaspersky Lab.  In its Threat Evolution report for the first quarter of 2016, Kaspersky researchers counted nearly 3,000 new ransomware modifications.

Ransomware has surpassed advanced persistent threats as the most troublesome threat.  The three ransomware families causing the most damage in the first quarter were TeslaCrypt, CTB-Locker, and CryptoWall, with the ransomware known as Locky being the most widespread malware. More

******************************************************************************************

Want to Ace Your Next Security Inspection? Awareness Is Key

Protecting classified information depends, today more than ever, on the security awareness of employees.   They can literally make or break your security program.  And the stakes have been raised even higher with the DSS Security Rating Matrix, which puts heightened emphasis on employee education and awareness.  In fact, one of the top three deficiencies cited by IS Reps around the country is a “weak security education program.”

So, how can you achieve a “Superior” inspection rating and avoid having to answer for negligent employee behavior?  The secret lies in just three little words: EMPLOYEE SECURITY CONNECTION – the proven security awareness solution exclusively for cleared defense contractors and government agencies.  It’s the best way to ensure your employees are prepared for your next security audit.  To learn more about how this valuable resource can help motivate your employees to practice good security habits…help you achieve “superior” inspection results…and satisfy a major NISPOM awareness requirement… please click on the following link: http://nsi.org/es-connection.html

******************************************************************************************

Cyber’s Hot, But Low-Tech Spies Still a Threat (The National Interest, 5/18/16)

It was recently made public that U.S. Navy Lt. Cmdr. Edward Lin was arrested by the Naval Criminal Investigative Service on September 11, 2015, and is in pretrial confinement charged with passing secrets to a foreign government, patronizing prostitutes and committing adultery (the latter being a crime under military law).  Lin pleaded not guilty.

Lin’s arrest is a stark reminder that traditional espionage is ongoing.  Despite the global focus on securing computer systems in the wake of the (alleged) Chinese hacking of OPM, Edward Snowden’s theft of NSA data, Bradley Manning’s release of classified information to the website WikiLeaks, and several other cases, we must continue and renew the focus on countering all of the foreign intelligence methods used to obtain U.S. information. More

New Law Puts Onus on Contractors to Tighten IT Security (Federal Computer Week, 5/18/16)

It’s official: The government requires minimum cybersecurity standards for contractors that store sensitive information in their IT systems.  A new rule aimed at systems that store controlled unclassified information and classified information is one result of the White House’s 2010 executive order aimed at bolstering CUI protections.

“Systems that contain classified information, or CUI such as personally identifiable information, require more than the basic level of protection,” a May 16 Federal Register notice states.  The regulation was issued by the Defense Department, the General Services Administration, and NASA. More

Hacktivism and the Insider Threat (CMS Wire, 5/18/16)

Stories of security breaches that originated inside the organization have flooded the news in recent years, with Edward Snowden and the National Security Agency being the best known example.  In addition to elevating the data privacy conversation to the international level, these stories shine a light on a trend that has become common: Insiders cause more data breaches, on average, than anyone else.

While the word “hacktivism” may be relatively new, it’s an activity that most people are already aware of—specifically from stories surrounding Snowden’s infiltration of the NSA computer systems and furthered by the hacking collective Anonymous in its attacks against banks, the government, and politicians.  More

Bill Would Create Cybersecurity Supergroup to Train State, Private Partners (FierceGovernmentIT, 5/18/16)

A bill that would create a national group to help states and first responders improve cybersecurity overwhelmingly passed the House last week.  The National Cybersecurity Preparedness Consortium Act of 2016 passed by a 394-3 vote and now moves to the Senate, where it was referred to the Committee on Homeland Security and Governmental Affairs.

The bill would authorize the Department of Homeland Security to establish a consortium to engage a full spectrum of academic, business, and nonprofit partners, as well as those in federal, state, and local governments, to address cybersecurity risks and incidents.  This would include risks related to terrorism, according to a summary of the bill by the Congressional Research Service. More